Last active: August 29, 2015 14:17
Android Security issue [#1086986860] Stealing login data from the browser, reported 02.08.12
Hello,

I've attached a little PoC, works for me on Android 4.1.1. Usage:

- install the app
- open it
- press the button
- wait a little bit
- see your saved login data for various websites in an alert window (as raw sqlite file dump)

How it works:

- launch a small http server
- point the browser to the http server
- page that loads auto-submits a form with an input field containing a <script> tag
- browser puts the field's value into /data/data/com.android.browser/databases/webview.db
- server notices POST from the form, waits a little bit, then points the browser to /data/data/com.android.browser/databases/webview.db (you need a small trick to make that work)
- browser interprets the file as HTML, executes the JS code in it

The small trick is to specify "application/x-webarchive-xml" as MIME type.

EDIT:

PoC video is at https://www.youtube.com/watch?v=3A3hkUkR3ug now
PoC APK is at http://var.thejh.net/browserxss.apk
PoC source is at http://var.thejh.net/BrowserXSS.tgz
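The chain above depends on two things the browser component allowed: attacker-supplied form data landing on disk in webview.db, and web content steering the browser into loading that local file and rendering it as HTML. The report concerns the stock Android browser, whose settings a user cannot change, but apps that embed a WebView expose the same two surfaces through their own configuration. The following is an added, defensive example (not part of the gist and not the author's PoC) showing how an app-owned WebView is hardened against this class of issue: it disables file and content access, disables form-data saving, and refuses any navigation whose scheme is not http or https. It assumes a standard Android Activity that owns a WebView instance; no host names or other specifics from the report are used.

```java
// Added example, not code from the gist: hardening an app-embedded WebView
// against web content that tries to get a local file (such as the browser's
// own database) loaded and interpreted as HTML.
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class HardenedWebViewSetup {

    private HardenedWebViewSetup() {}

    /** Apply the hardening to a WebView owned by the calling Activity. */
    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();

        // Refuse file:// and content:// loads entirely, so web content cannot
        // steer the WebView into rendering files from the app's private
        // data directory (the step that turns the stored <script> into XSS).
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);

        // Even if a file:// origin were ever loaded, deny it access to other
        // local files and to arbitrary origins (API 16+ settings).
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        // Do not persist submitted form data: attacker-controlled field
        // values then never reach the WebView's autofill store on disk.
        s.setSaveFormData(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Allow only http(s) navigations. A redirect, link or form
                // action that points at file://, content:// or a custom
                // scheme is swallowed here instead of being loaded.
                String scheme = Uri.parse(url).getScheme();
                boolean allowed = "https".equals(scheme) || "http".equals(scheme);
                // Returning true tells the WebView we handled the URL
                // (by refusing it); false lets the WebView load it.
                return !allowed;
            }
        });
    }
}
```

Call HardenedWebViewSetup.configure(webView) before the first loadUrl(). The scheme check is the piece that maps directly onto the report: the trick with a non-HTML MIME type only matters once the browser component has agreed to open a local path at all, and a WebViewClient that never follows non-http(s) navigations removes that step regardless of how the file would later be interpreted.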